[opensuse-kde] Issues with KWallet
Hello everyone,

KWallet is insecure [1] and gets annoying when your default access to internet is over wifi because it requires you to type the password every time you start your Plasma session. Currently, there is the kwallet_pam package to work around this kind of issue. Unfortunately this package is not available in the standard repository under Tumbleweed [2]. Why isn't it? I definitely think it should be in the official repository because this issue is really annoying.

Best regards,
Mariusz Wojcik

PS: I hope KWallet gets replaced any time soon by KSecretService.

[1]: http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/
[2]: https://software.opensuse.org/package/pam_kwallet

--
To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
On Monday, 2 May 2016 8:52:19 CEST, Mariusz Wojcik wrote:
> KWallet is insecure [1] and gets annoying when your default access to internet is over wifi because it requires you to type the password every time you start your Plasma session.

Not necessarily - I have an encrypted disk, so I do not have a KWallet password and it doesn't ask for a password on login. Otherwise the described behavior makes sense - secure storage must be unlocked before usage...

--
Vojtěch Zeisek
Komunita openSUSE GNU/Linuxu
Community of the openSUSE GNU/Linux
https://www.opensuse.org/
https://trapa.cz/
On Monday, 2 May 2016 08:52:19 CEST, Mariusz Wojcik wrote:
> KWallet is insecure [1] and gets annoying when your default access to internet is over wifi because it requires you to type the password

You can work around this issue if you set the connection as "all users can connect" in plasma-nm. In that case the credentials will be handled by NetworkManager (that might be another issue for the overly paranoid).

> issue. Unfortunately this package is not available in the standard repository under Tumbleweed [2]. Why isn't it? I definitely think it

openSUSE contributor TheBlackCat proposed a request for a new package half a month ago. Unfortunately neither I nor the rest of the team had time to review it until recently (this weekend).

One hurdle that I'm not sure how to handle is setting PAM. In order to work correctly, the method needs to be added to all display managers that make requests of it, or alternatively, be restricted only to SDDM. Either option has drawbacks.

P.S.: The insecure bits for kwallet have been changed in more recent times. Personally I use it with a GPG smartcard, which is probably the safest way (but not the most convenient).

--
Luca Beltrame - KDE Forums team
KDE Science supporter
GPG key ID: A29D259B
On Monday, 02.05.2016, 09:29 +0200, Luca Beltrame wrote:
> On Monday, 2 May 2016 08:52:19 CEST, Mariusz Wojcik wrote:
>> KWallet is insecure [1] and gets annoying when your default access to internet is over wifi because it requires you to type the password
>
> You can work-around this issue if you set the connection as "all users can connect" in plasma-nm. In that case the credentials will be handled by NetworkManager (that might be another issue for the overly paranoid).

Maybe we shouldn't enforce paranoia because it seems just unsafe to give KWallet no password. In the case of KMail I would really like to have KWallet to encrypt passwords. Anyway, people, who are paranoid, could give KWallet the password handling for wifi.

>> issue. Unfortunately this package is not available in the standard repository under Tumbleweed [2]. Why isn't it? I definitely think it
>
> openSUSE contributor TheBlackCat has proposed a request for a new package half a month ago. Unfortunately neither me nor the rest of the team had time to review it until recently (this weekend).

Maybe that's the solution for more paranoid people. Well, I don't care because I just like to have my wifi password saved anywhere.

> One hurdle that I'm not sure how to handle is setting PAM. In order to work correctly, the method needs to be added to all display managers that make request of it, or alternatively, be restricted only to SDDM.

Well, idk but maybe you could look how Gnome solved it with gnome-keyring.

> Either option has drawbacks.
>
> P.S.: The insecure bits for kwallet have been changed in more recent times. Personally I use it with a GPG smartcard, which is probably the safest way (but not the most convenient).

Yeah, the GPG backend seems secure, contrary to the default backend.
On Monday, 2 May 2016, 09:29:41, Luca Beltrame wrote:
> You can work-around this issue if you set the connection as "all users can connect" in plasma-nm. In that case the credentials will be handled by NetworkManager (that might be another issue for the overly paranoid).

Actually, since 5.5 plasma-nm allows storing the connection credentials centrally in NetworkManager (without using kwallet) also for a normal "user" connection. And even for a shared connection (i.e. with "Allow all users to connect" enabled), the default is to use kwallet now, so changing this alone won't "help" any more.

But, the password dialog has a "disk" icon (on the right edge of the text field) that allows you to configure where the password should be stored, just click on that and a popup menu will open. In short, plasma-nm behaves exactly like nm-applet now in this regard.

Unfortunately there's a bug in Qt 5.5 though (fixed in 5.6) that causes the disk icon to be hidden by the "eye" icon that shows/hides the password. You have to resize the window to make it visible.

Kind Regards,
Wolfgang
participants (4): Luca Beltrame, Mariusz Wojcik, Vojtěch Zeisek, Wolfgang Bauer